ffuf Installation and Usage Tutorial

ffuf installation

Installing the Go environment

Go needs to be installed on Kali Linux first.

Download the package

wget -c https://golang.google.cn/dl/go1.16.2.linux-amd64.tar.gz

Extract it

tar -xzvf go1.16.2.linux-amd64.tar.gz

Copy it to the target directory

I copied it to /usr/local here.

cp -r go /usr/local

Set the environment variables

Edit your shell profile; the file differs slightly from one setup to another.

Some shells use .bashrc, others use .zshrc.

I use the latter here; adjust the path for your own shell.

vim ~/.zshrc

Add the following at the bottom:

export PATH=$PATH:/usr/local/go/bin
export GO111MODULE=on
export GOPROXY=https://goproxy.cn


Apply it immediately

source ~/.zshrc

Check that Go was installed successfully

go version

If it reports version 1.16.2, the environment is configured.

┌──(FancyPig)-[/home/FancyPig/桌面]
└─# go version
go version go1.16.2 linux/amd64

Installing ffuf

Download and build ffuf

Download ffuf

go get -u github.com/ffuf/ffuf

Build it

go build

Then go back up one level and copy the ffuf directory to /usr/local

cd ..
cp -r ffuf /usr/local

Set the ffuf environment variable

Edit the shell profile again

vim ~/.zshrc

Add the following at the bottom:

export PATH=$PATH:/usr/local/ffuf

Apply it immediately

source ~/.zshrc

Using ffuf

Directory scanning (Directory Brute Force)

Create a wordlist file

Create a wordlist file named wordlist-admin.txt in the working directory. The entries below are taken from the admin-panel wordlist bundled with Kali Linux.

account.html
account.php
adm
adm/admloginuser.php
adm_auth.php
adm.html
admin
admin2/index.php
admin2/login.php
admin2.php
admin/account.html
admin/account.php
admin/admin.html
admin/admin_login.html
admin/admin-login.html
admin/adminLogin.html
admin/admin_login.php
admin/admin-login.php
admin/adminLogin.php
admin/admin.php
admin_area
adminarea
admin_area/admin.html
adminarea/admin.html
admin_area/admin.php
adminarea/admin.php
admin_area/index.html
adminarea/index.html
admin_area/index.php
adminarea/index.php
admin_area/login.html
adminarea/login.html
admin_area/login.php
adminarea/login.php
admincontrol.html
admincontrol/login.html
admincontrol/login.php
admin/controlpanel.html
admin/controlpanel.php
admincontrol.php
admin/cp.html
admincp/index.asp
admincp/index.html
admincp/login.asp
admin/cp.php
adm/index.html
adm/index.php
admin/home.html
admin/home.php
admin.html
admin/index.html
admin/index.php
administrator
administrator/account.html
administrator/account.php
administrator.html
administrator/index.html
administrator/index.php
administratorlogin
administrator/login.html
administrator/login.php
administrator.php
adminLogin
admin_login.html
admin-login.html
admin/login.html
adminLogin.html
admin_login.php
admin-login.php
admin/login.php
adminLogin.php
adminpanel.html
adminpanel.php
admin.php
admloginuser.php
adm.php
affiliate.php
bb-admin
bb-admin/admin.html
bb-admin/admin.php
bb-admin/index.html
bb-admin/index.php
bb-admin/login.html
bb-admin/login.php
controlpanel.html
controlpanel.php
cp.html
cp.php
home.html
home.php
instadmin
joomla/administrator
login.html
login.php
memberadmin
modelsearch/admin.html
modelsearch/admin.php
modelsearch/index.html
modelsearch/index.php
modelsearch/login.html
modelsearch/login.php
moderator
moderator/admin.html
moderator/admin.php
moderator.html
moderator/login.html
moderator/login.php
moderator.php
nsw/admin/login.php
pages/admin/admin-login.html
pages/admin/admin-login.php
panel-administracion/
panel-administracion/admin.html
panel-administracion/admin.php
panel-administracion/index.html
panel-administracion/index.php
panel-administracion/login.html
panel-administracion/login.php
rcjakar/admin/login.php
siteadmin/index.php
siteadmin/login.html
siteadmin/login.php
user.html
user.php
webadmin
webadmin/admin.html
webadmin/admin.php
webadmin.html
webadmin/index.html
webadmin/index.php
webadmin/login.html
webadmin/login.php
webadmin.php
wp-login.php

You can of course also use the wordlists that ship with the system; on Kali Linux they live under /usr/share/wordlists/.

Or use the SecLists collection maintained on GitHub: https://github.com/danielmiessler/SecLists/

It sorts wordlists by scenario, which makes picking the right one easy.

Run the scan

Scan the target site's paths with the wordlist; this command is typically used to locate the admin back-end.

ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ

Results

┌──(root@FancyPig)-[/home/FancyPig/桌面]
└─# ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.0-git
________________________________________________

 :: Method           : GET
 :: URL              : https://test.iculture.cc/FUZZ
 :: Wordlist         : FUZZ: wordlist-admin.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

admin.php               [Status: 200, Size: 6, Words: 1, Lines: 1]
webadmin                [Status: 301, Size: 162, Words: 5, Lines: 8]
:: Progress: [134/134] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

The scan finds the webadmin directory and the admin.php file under the web root.

Recursive scanning (Recursion)

What if we want to use the same wordlist to find /webadmin/admin, or the admin.php file under /webadmin/admin?

In that case we can search recursively:

ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ -recursion

Results

┌──(root@FancyPig)-[/home/FancyPig/桌面]
└─# ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ -recursion

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.0-git
________________________________________________

 :: Method           : GET
 :: URL              : https://test.iculture.cc/FUZZ
 :: Wordlist         : FUZZ: wordlist-admin.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

admin.php               [Status: 200, Size: 6, Words: 1, Lines: 1]
webadmin                [Status: 301, Size: 162, Words: 5, Lines: 8]
[INFO] Adding a new job to the queue: https://test.iculture.cc/webadmin/FUZZ
admin                   [Status: 301, Size: 162, Words: 5, Lines: 8]
[INFO] Adding a new job to the queue: https://test.iculture.cc/webadmin/admin/FUZZ
admin/admin.php         [Status: 200, Size: 7, Words: 1, Lines: 1]
admin.php               [Status: 200, Size: 7, Words: 1, Lines: 1]
:: Progress: [134/134] :: Job [3/3] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

Besides the earlier results, we now also find the /webadmin/admin directory and the /webadmin/admin/admin.php file.

Fuzzing multiple locations (Fuzzing Multiple Locations)

Parameters

To scan the admin directories of several sites at once, define more than one keyword, for example W1 and W2.

W1 takes our site list, site.txt.

W2 takes our admin-directory wordlist, wordlist-admin.txt.

Command

ffuf -u https://W1/W2 -w site.txt:W1,wordlist-admin.txt:W2

Results

┌──(root@FancyPig)-[/home/FancyPig/桌面]
└─# ffuf -u https://W1/W2 -w site.txt:W1,wordlist-admin.txt:W2

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.0-git
________________________________________________

 :: Method           : GET
 :: URL              : https://W1/W2
 :: Wordlist         : W1: site.txt
 :: Wordlist         : W2: wordlist-admin.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

[Status: 200, Size: 6, Words: 1, Lines: 1]
    * W2: admin.php
    * W1: test.iculture.cc

[Status: 200, Size: 12789, Words: 1535, Lines: 302]
    * W1: www.ddgbr.com
    * W2: admin-login.html

[Status: 200, Size: 9341, Words: 495, Lines: 168]
    * W1: www.longkouquan.com
    * W2: admin-login.html

[Status: 200, Size: 2431, Words: 106, Lines: 60]
    * W1: www.longkouquan.com
    * W2: admin.php

[Status: 301, Size: 162, Words: 5, Lines: 8]
    * W1: test.iculture.cc
    * W2: webadmin

[Status: 200, Size: 2502, Words: 106, Lines: 60]
    * W1: www.ddgbr.com
    * W2: admin.php

[Status: 200, Size: 12314, Words: 634, Lines: 255]
    * W1: www.longkouquan.com
    * W2: home.php

[Status: 200, Size: 27351, Words: 1295, Lines: 679]
    * W1: www.ddgbr.com
    * W2: home.php

:: Progress: [402/402] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

Here we scanned the admin directories of three sites; each result lists which site (W1) and which wordlist entry (W2) produced it.
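ffuf's text output comes in two shapes: the single-keyword form, where the matched entry precedes the bracket, and the multi-keyword form above, with one "* W1:" / "* W2:" line per input. Once a run is long, reading it by eye is error-prone, so below is a small parser for both shapes. It is an added example written for this page, not code from ffuf or from the original post; the sample output embedded in it is constructed from the runs shown above, and the `size_histogram` and `by_host` helpers are this example's own conveniences. (For automation, ffuf's own machine-readable output via `-o` and `-of` is the better choice; the parser is for runs that were captured as plain text.)

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed samples, abbreviated from the two output shapes shown on this page.
SINGLE_KEYWORD_OUTPUT = """\
 :: Method           : GET
 :: URL              : https://test.iculture.cc/FUZZ
admin.php               [Status: 200, Size: 6, Words: 1, Lines: 1]
webadmin                [Status: 301, Size: 162, Words: 5, Lines: 8]
[INFO] Adding a new job to the queue: https://test.iculture.cc/webadmin/FUZZ
admin/admin.php         [Status: 200, Size: 7, Words: 1, Lines: 1]
:: Progress: [134/134] :: Job [3/3] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::
"""

MULTI_KEYWORD_OUTPUT = """\
[Status: 200, Size: 6, Words: 1, Lines: 1]
    * W2: admin.php
    * W1: test.iculture.cc

[Status: 301, Size: 162, Words: 5, Lines: 8]
    * W1: test.iculture.cc
    * W2: webadmin

[Status: 200, Size: 2431, Words: 106, Lines: 60]
    * W1: www.longkouquan.com
    * W2: admin.php
"""

STATS_RE = re.compile(r"\[Status: (\d+), Size: (\d+), Words: (\d+), Lines: (\d+)\]")
KEYWORD_RE = re.compile(r"^\s*\*\s*(\w+):\s*(.*?)\s*$")


@dataclass
class Hit:
    status: int
    size: int
    words: int
    lines: int
    inputs: dict = field(default_factory=dict)  # keyword -> wordlist entry, e.g. {"FUZZ": "admin.php"}


def parse_ffuf_output(text):
    """Parse ffuf's text output (single-keyword or multi-keyword form) into Hit records."""
    hits, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = STATS_RE.search(line)
        if m:
            current = Hit(*(int(g) for g in m.groups()))
            prefix = line[: m.start()].strip()
            if prefix:  # single-keyword form: the matched entry precedes the bracket
                current.inputs["FUZZ"] = prefix
            hits.append(current)
            continue
        km = KEYWORD_RE.match(line)
        if km and current is not None:  # multi-keyword form: one "* KEYWORD: value" line per input
            current.inputs[km.group(1)] = km.group(2)
        # Banner, ":: ..." configuration, [INFO] and progress lines carry no hit and are skipped.
    return hits


def size_histogram(hits):
    """Count hits per response size. A size shared by most entries usually means the server
    answers every path the same way (a catch-all page); that is the size -fs should remove."""
    return Counter(h.size for h in hits)


def by_host(hits, host_keyword="W1"):
    """Group multi-keyword hits by the host keyword so each site's results can be reviewed together."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h.inputs.get(host_keyword, ""), []).append(h)
    return grouped


if __name__ == "__main__":
    for host, host_hits in by_host(parse_ffuf_output(MULTI_KEYWORD_OUTPUT)).items():
        print(host, [(h.inputs.get("W2"), h.status, h.size) for h in host_hits])
```

`parse_ffuf_output` keys single-keyword results under "FUZZ" because that form does not name the keyword on the result line; if you ran ffuf with a custom keyword, rename the key after parsing.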

Thoughts: how to avoid being detected or blocked

If you run thousands of sites against thousands of directories and hammer one site's directories all at once, you are very likely to be detected or blocked.

How can detection or blocking be avoided?

Scan order

With the command below, the execution order is: the first wordlist entry against all sites, then the second entry, then the third, and so on.

ffuf -u https://W1/W2 -w site.txt:W1,wordlist-admin.txt:W2

Not recommended

If your command looks like the following instead, it scans the entire wordlist against the first site, then the second site, then the third, and so on.

ffuf -u https://W1/W2 -w wordlist-admin.txt:W2,site.txt:W1

Compare this output with the first command's output and the difference in execution order is clear.

┌──(root@FancyPig)-[/home/FancyPig/桌面]
└─# ffuf -u https://W1/W2 -w wordlist-admin.txt:W2,site.txt:W1

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.0-git
________________________________________________

 :: Method           : GET
 :: URL              : https://W1/W2
 :: Wordlist         : W2: wordlist-admin.txt
 :: Wordlist         : W1: site.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

[Status: 200, Size: 6, Words: 1, Lines: 1]
    * W2: admin.php
    * W1: test.iculture.cc

[Status: 301, Size: 162, Words: 5, Lines: 8]
    * W2: webadmin
    * W1: test.iculture.cc

[Status: 200, Size: 12789, Words: 1535, Lines: 302]
    * W1: www.ddgbr.com
    * W2: admin-login.html

[Status: 200, Size: 2502, Words: 106, Lines: 60]
    * W2: admin.php
    * W1: www.ddgbr.com

[Status: 200, Size: 27351, Words: 1295, Lines: 679]
    * W2: home.php
    * W1: www.ddgbr.com

[Status: 200, Size: 2431, Words: 106, Lines: 60]
    * W2: admin.php
    * W1: www.longkouquan.com

[Status: 200, Size: 9341, Words: 495, Lines: 168]
    * W2: admin-login.html
    * W1: www.longkouquan.com

[Status: 200, Size: 12314, Words: 634, Lines: 255]
    * W2: home.php
    * W1: www.longkouquan.com

:: Progress: [402/402] :: Job [1/1] :: 1845 req/sec :: Duration: [0:00:01] :: Errors: 0 ::

So if your volume is large enough, the first scan order, combined with a long enough wait, is less likely to be detected or blocked.
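From the defender's side, the scan order discussed above only changes the request rate a single site sees; it does not change the fact that one client asks for many paths that do not exist. A per-source count of distinct 404 paths over a long window therefore catches both the fast run and a run spread out over hours, where a simple requests-per-second threshold only catches the former. The detector below is an added example written for this page, not code from ffuf or from the original post. It assumes access logs in the Apache/nginx "combined" format; the log lines it processes are constructed inline (the 203.0.113.x and 198.51.100.x addresses are documentation ranges), the thresholds are assumptions to be tuned per site, and the "Fuzz Faster U Fool" User-Agent string is ffuf's default, a cheap indicator that should not be relied on alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format. Assumption: the logs being analysed use this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FUZZER_UA_PREFIX = "Fuzz Faster U Fool"  # ffuf's default User-Agent prefix


def _line(ip, ts, path, status, size, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} {size} "-" "{ua}"'


def build_sample_log():
    """Constructed sample traffic (not a real log) from three clients."""
    t0 = datetime(2021, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Client A: a wordlist run like the one on this page, 25 paths in about two seconds.
    paths = [f"/admin{i}.php" for i in range(23)] + ["/admin.php", "/webadmin"]
    real = {"/admin.php": (200, 6), "/webadmin": (301, 162)}
    for i, p in enumerate(paths):
        status, size = real.get(p, (404, 153))
        lines.append(_line("203.0.113.10", t0 + timedelta(milliseconds=80 * i), p, status, size,
                           "Fuzz Faster U Fool v1.3.0-git"))
    # Client B: an ordinary visitor fetching a page and its assets.
    for i, p in enumerate(["/", "/index.php", "/style.css", "/favicon.ico"]):
        lines.append(_line("198.51.100.7", t0 + timedelta(seconds=15 * i), p, 200, 12789, "Mozilla/5.0"))
    # Client C: the same kind of probing spread out, one request every 30 minutes, browser User-Agent.
    for i in range(22):
        status = 200 if i == 21 else 404
        lines.append(_line("203.0.113.20", t0 + timedelta(minutes=30 * i), f"/old-admin-{i}/",
                           status, 153, "Mozilla/5.0"))
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Return (ip, timestamp, path, status, user_agent) tuples; lines that do not fit the format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        d = m.groupdict()
        events.append((d["ip"], datetime.strptime(d["ts"], TS_FMT), d["path"], int(d["status"]), d["ua"]))
    return events


def detect_path_probing(events, window=timedelta(hours=24), min_distinct_misses=20,
                        burst_window=timedelta(seconds=10)):
    """Flag sources that requested many distinct non-existent paths within `window`.
    Thresholds are assumptions for this example; tune them to the site's normal 404 rate."""
    by_ip = defaultdict(list)
    for ip, ts, path, status, ua in events:
        by_ip[ip].append((ts, path, status, ua))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        distinct_404 = peak_burst = 0
        # Windows anchored at each request; quadratic but fine at example size (use a deque in production).
        for i, (ts_i, _, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - ts_i <= window]
            distinct_404 = max(distinct_404, len({p for _, p, st, _ in in_window if st == 404}))
            peak_burst = max(peak_burst, sum(1 for e in evs[i:] if e[0] - ts_i <= burst_window))
        if distinct_404 >= min_distinct_misses:
            findings[ip] = {
                "distinct_404": distinct_404,  # distinct missing paths within the long window
                "peak_burst": peak_burst,      # requests in the busiest `burst_window`
                "fuzzer_ua": any(ua.startswith(FUZZER_UA_PREFIX) for _, _, _, ua in evs),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_path_probing(parse_log(build_sample_log())).items():
        print(ip, info)
```

On the constructed sample both probing clients are flagged: the fast one with a 25-request burst and the default ffuf User-Agent, and the slow one with a peak of a single request per ten seconds and a browser User-Agent, which a rate-only rule would have missed. The ordinary visitor is not flagged because it produced no 404s.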

Silent mode output (Using Silent Mode for Passing Results)

Add -s to print only the matches, which is easier to read when there are many directories.

Command

ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ -s

Results

┌──(root@FancyPig)-[/home/FancyPig/桌面]
└─# ffuf -w wordlist-admin.txt -u https://test.iculture.cc/FUZZ -s
admin.php
webadmin

Fuzzing (fuzzing)

Get the response size

curl command

Measure the size of the baseline response (the -H header needs the "Host: value" form; the original post's bare host name would have been ignored by curl):

curl -s -H "Host: test.iculture.cc" https://test.iculture.cc | wc -c

Result

575

GET requests

The wordlist-mod.txt file here should contain a wordlist of common parameter names. The URL is quoted because ? is a glob character in zsh.

ffuf -w wordlist-mod.txt -u "https://test.iculture.cc/script.php?FUZZ=test_value" -fs 575

-fs 575 filters out every response whose size equals the 575-byte baseline measured above, so any parameter name that still shows up changed the response and is a candidate valid name. Next, fuzz that parameter's value: valid_name below stands for the name found in the previous step, and -fc 401 filters out responses with status 401.

ffuf -w /path/to/values.txt -u "https://test.iculture.cc/script.php?valid_name=FUZZ" -fc 401

POST requests

Fuzzing a POST body in this way is effectively a brute-force login attempt. Put a wordlist of common passwords in password.txt and filter out 401 responses. (The original post wrote the body as "username=admin\&password=FUZZ"; inside double quotes the backslash is kept literally and corrupts the body, so it is dropped here.)

ffuf -w password.txt -X POST -d "username=admin&password=FUZZ" -u https://test.iculture.cc/login.php -fc 401